----MESSAGE-BEGIN----
<1989060114352300>
From: ron@ron.rutgers.edu (Ron Natalie)
2-JUN-1989 22:15:23
To: misc-security@rutgers.edu
Subj: [375] Re: System Security

UNICOS, at least as I saw it two years ago, had no pretense at security. It was quite easy to do things that would crash the machine, and only moderately more difficult to get unauthorized access to root.

You might ring up your colleagues at NASA-AMES, who certainly have much more experience with UNICOS than I do. They're also pretty sharp on the security scene.

-Ron
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989060114592500>
From: zeleznik@cs.utah.edu (Mike Zeleznik)
2-JUN-1989 22:39:25
To: security@rutgers.edu
Subj: [537] Re: System Security

> Could anyone give me a list of well known and
> not so well known security holes for 4.2 and 4.3 BSD and System V (UNICOS).

You might check out Bob Baldwin's stuff (MIT) for rule-based analysis of UNIX system security. He had a paper in CompCon Spring 87.

Also, "UNIX System Security" by Wood and Kochan, Hayden Books.

Michael Zeleznik
Computer Science Dept.
University of Utah
zeleznik@cs.utah.edu
Salt Lake City, UT 84112
(801) 581-5617
----MESSAGE-END----

----MESSAGE-BEGIN----
[8906102300.AA27440@ucbarpa.Berkeley.EDU]
<1989060213333700>
From: simsong@idr.cambridge.ma.us (Simson L. Garfinkel)
Newsgroups: misc.security
Subject: ISDN
Message-ID: <8906102300.AA27440@ucbarpa.Berkeley.EDU>
Date: 2 Jun 89 13:33:37 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 14
Approved: security@rutgers.edu
Posted: Fri Jun 2 14:33:37 1989

I am doing an article on ISDN for The Boston Globe. The article would like to write about all of the problems with ISDN, all of the advantages, what people's experiences have been (both positive and negative), and where things are going.

If anybody would like to give me a call or email, and flame, this is your chance!!!

Simson L. Garfinkel
409 Washington Street
Cambridge, MA 02139
617-876-6111
simsong@idr.cambridge.ma
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989060423205400>
From: andrews@apple.com (Richard Andrews)
6-JUN-1989 7:00:54
To: misc-security@ucbvax.berkeley.edu
Subj: [379] Re: DES Export

From my own experience, it seems to me that DES per se is not excluded from export. It just depends on how you use it. I worked on a product, the AppleShare File Server, that uses DES to encrypt passwords, and that was granted a Commerce Jurisdiction (meaning Apple is free to export it). Clearly, we would not have been able to export it if we used DES for file encryption.
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989060423545700>
From: cme@cloud9.stratus.com (Carl Ellison)
6-JUN-1989 7:34:57
To: linus!misc-security@ursa-major.spdcc.com
Subj: [456] Re: DES export laws

This is getting out of hand.... If it weren't so silly, I'd rant and rave for pages about it. What makes DES written here so secret when the one written in Finland (acc. a recent posting) isn't??????

We're locking the barn door -- with the horse inside -- but after the back wall fell down.

--Carl Ellison
UUCP:: cme@cloud9.Stratus.COM
SNail:: Stratus Computer; 55 Fairbanks Blvd.; Marlborough MA 01752
Disclaimer:: (of course)
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989060500130200>
From: alo@kampi.hut.fi (Antti Louko)
6-JUN-1989 7:53:02
To: misc-security@cwi.nl
Subj: [1468] Re: DES export laws

> Thus, a copy of Dbase III labelled
> "Not for export" cannot be used in an open lab here.

Software vendors could do the following: Take their software product without any non-export stuff to some of their labs outside US. At that site, include some outside-US DES-package into their product, or even better, ship their product in relocatable form, so the customer can link any encryption package with it.

My DES-package can be used freely for non-commercial purposes.
If a vendor ships my DES-package in source code (and optionally in relocatable code) with their product so that the customer can link it together himself, I consider this non-commercial use. The idea is that the customer could do the same even if the vendor wouldn't provide the DES-package. If the vendor packages their product and DES together (e.g. linking them into an executable) I consider this commercial use.

In my opinion: Software vendors should ship all their software also in relocatable form!!

My DES-package is available by ftp at kampi.hut.fi (128.214.3.9) in directory /alo/

------------------
alo@santra.UUCP (mcvax!santra!alo)    Antti Louko
alo@hut.fi                            Helsinki University of Technology
alo@fingate.bitnet                    Computing Centre
alo%fingate.bitnet@cunyvm.cuny.edu    SF-02150, Espoo FINLAND
tel. +358 0 4514314
------------------
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989060515344300>
From: Doug Claar
6-JUN-1989 23:14:43
To: security@pyrite.rutgers.edu
Subj: [542] Re: Security Digest

> I'm always amused by the notion of "tamper-resistant" envelopes. I

Yes, what about the 'see-thru' spray being sold by Sharper Image, or some such company. "Makes envelopes transparent without leaving a trace!" The post office is not amused, but I don't think they can do much about it, since there is (in tiny type, at least in the ad) a warning that using the spray on U.S. Mail is against the law.

Doug Claar
HP Computer Systems Division
UUCP: mcvax!decvax!hplabs!hpda!dclaar -or- ucbvax!hpda!dclaar
ARPA: dclaar%hpda@hplabs.HP.COM
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989060516145900>
From: "MOG::REX"@isdmnl.menlo.usgs.gov (Rex Sanders)
6-JUN-1989 23:54:59
To: security@pyrite.rutgers.edu
Subj: [675] RE: passwords

On our 4.3 BSD Unix system, we have three people that need root permissions. We used to all know the root password. Then, a security directive came around: one account, only one person knows the password.

We set up three accounts, with names other than "root", and uid 0, gid 1. Each account has its own password, and I changed the "root" password to something I've already forgotten. We put hooks in /.login and /.cshrc to source files of our own. This scheme has worked fine for several years now.

To help other users identify "root" users when logged in, we named the other accounts with root vegetable names - mine is "radish".

-- Rex
rex@isdmnl.menlo.usgs.gov
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989060516514200>
From: deh@eng.umd.edu
7-JUN-1989 0:31:42
To: AI.CLIVE@mcc.com
Subj: [599] Re: password security
Cc: security@pyrite.rutgers.edu

There are envelopes that close with a holographic foil that is then embossed. The image is somewhat unique in that it has a serial number on (in?) it, visible. Since they are serial numbered, you can't just replace it, and they seem to be very fragile in that you cannot peel them off without a lot of visible and obvious damage. Of course, they are most likely VERY expansive, (yow! I think I meant expensive!) since I only know of one place that uses them at all, and only then for very sensitive things, and they DON'T like it when people take them home for their kids to play with!

Doug
----MESSAGE-END----

----MESSAGE-BEGIN----
[8906140035.AA05195@ucbarpa.Berkeley.EDU]
<1989060518382400>
From: lekash@ORVILLE.NAS.NASA.GOV (John Lekashman)
Newsgroups: misc.security
Subject: System Security
Message-ID: <8906140035.AA05195@ucbarpa.Berkeley.EDU>
Date: 5 Jun 89 18:38:24 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 12
Approved: security@rutgers.edu
Posted: Mon Jun 5 19:38:24 1989

UNICOS, at least as I saw it two years ago, had no pretense at security.

Things are getting better. They now very quickly get bug repairs in, at least in the networking area. In fact, CRI is the fastest vendor we have at applying and releasing discovered security bug repairs. (Except vaxes running BSD, but that's a special case.)
So, if you find something, tell them. If it's real, and gets back to Minnesota, it gets fixed.

john
----MESSAGE-END----

----MESSAGE-BEGIN----
[8906210607.AA22318@ucbarpa.Berkeley.EDU]
<1989060521203200>
From: faigin@AEROSPACE.AERO.ORG
Newsgroups: misc.security
Subject: Looking for Conferences or Seminars on Security
Message-ID: <8906210607.AA22318@ucbarpa.Berkeley.EDU>
Date: 5 Jun 89 21:20:32 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 13
Approved: security@rutgers.edu
Posted: Mon Jun 5 22:20:32 1989

Someone in our company asked me for information on conferences or seminars that might provide somebody with background on DoD regulations and requirements for computer security, including regulations about TEMPEST. As I am more involved with multi-level computer security (as opposed to the DoD side of things), I thought I might toss out the request. Does anyone know of conferences or seminars which might fit the bill?

Daniel
Work: The Aerospace Corp M8/055 * POB 92957 * LA, CA 90009-2957 * 213/336-3149
Home: 8333 Columbus Avenue #17 * Sepulveda CA 91343 * 818/892-8555
Email: faigin@aerospace.aero.org (or) Faigin@dockmaster.ncsc.mil
Voicemail: 213/336-5454 Box#3149 * "Take what you like, and leave the rest"
----MESSAGE-END----

----MESSAGE-BEGIN----
[8906202155.AA18947@ucbarpa.Berkeley.EDU]
<1989060611521900>
From: peter%ficc@UUNET.UU.NET (Peter da Silva)
Newsgroups: misc.security
Subject: Re: GNU, security, and RMS
Message-ID: <8906202155.AA18947@ucbarpa.Berkeley.EDU>
Date: 6 Jun 89 11:52:19 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 18
Approved: security@rutgers.edu
Posted: Tue Jun 6 12:52:19 1989

> No security on the computer is similar to allowing anyone to come into
> your office and look at anything they please, and also to allow them to
> change anything they please. I doubt if many people would like this.

I think you have this backwards. In no place I have worked has there been any security protecting the contents of people's offices from such intrusion, at least below management levels. In school, however, personal security is taken much more seriously. Every TA and advisor has a lock on their door, lockers for students are available in most buildings, etc...

Security in computer systems at the typical commercial/industry site is mainly to (1) keep intruders out, and (2) keep people from accidentally damaging each other's files. And both of these are useful features.

--
Peter da Silva, Xenix Support, Ferranti International Controls Corporation.
Business: uunet.uu.net!ficc!peter, peter@ficc.uu.net, +1 713 274 5180.
Personal: ...!texbell!sugar!peter, peter@sugar.hackercorp.com.
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989060614522900>
From: "John Schlosser"
7-JUN-1989 22:32:29
To: "Security List"
Subj: [666] Car locks

From what I've seen, the "club" only blocks the steering wheel from turning more than a few degrees any way because of the way the club is attached. This works great if a would-be thief has the intention of driving away with your car, but what if he/she/it just wants to strip it bare of anything that's in it? A large metal pole that's attached to the steering wheel isn't going to do much good then, will it?

John P. Schlosser (URSJ@MARISTC)
Student Staff Programmer
Marist College Computer Center
.Nothing I say in any way reflects anyone's opinion other than my own.
.I am not affiliated with THE CLUB's makers, distributors, advertisers or anyone else.
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989060615231600>
From: barnett@unclejack.crd.ge.com (Bruce Barnett)
7-JUN-1989 23:03:16
To: security@pyrite.rutgers.edu
Subj: [930] Re: Medeco Keys

>On the other hand, picking a Medeco lock is again, significantly more
>difficult than other locks.

I was talking to someone selling home security units.
He laughed at a Medeco lock, saying someone invented a device that lets you pick/defeat it in minutes. Of course he wanted to sell me HIS security system.

--
Bruce G. Barnett
a.k.a. uunet!crdgw1.ge.com!barnett

[Moderator tack-on: He was probably talking about the various Medeco "mapping" devices, that were actually patented at one point. I doubt if these tools were ever marketed to locksmiths; they utilized some weaknesses of the cylinder in really bizarre twisted ways, such as shoving a small wire up the twist-limiting guide slot to feel where the top of the pin was. You would still have to cut a key based on what the tool told you. You might ask this fellow if he ever *saw* these tools being used... _H*]
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989060619093700>
From: hollombe@ttidca.tti.com (The Polymath)
8-JUN-1989 2:49:37
To: misc-security@sdcsvax.ucsd.edu
Subj: [749] Re: car locks

} hi, have you heard of the latest lock for vehicles ... called the "Club".

Probably a little less secure than the type of lock that runs from the steering wheel to the brake or clutch pedal. (The "Club" just locks on the steering wheel, making it difficult or impossible to turn completely around). I'd guess a large pair of bolt-cutters would get either one off in a few seconds. (If they won't cut the lock, cut the steering wheel. Car thieves aren't known for finesse).

--
The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com)   Illegitimati Nil
Citicorp(+)TTI                                                Carborundum
3100 Ocean Park Blvd.         (213) 452-9191, x2483
Santa Monica, CA 90405        {csun|philabs|psivax}!ttidca!hollombe
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989060619421800>
From: Jeff Makey
8-JUN-1989 3:22:18
To: security@rutgers.edu
Subj: [1224] Re: High-Tech Knife

I carry an ordinary Boy Scout knife in my pocket the same as I carry my wallet and keys. When I fly, I usually just put the knife and other metal objects I have into my briefcase to be x-rayed and I have never had any problems.

About a month ago I went through airport security (in San Diego) without anything to be put on the x-ray belt, so I just pulled the knife out of my pocket and placed it on one of those little trays they have for change and stuff. As I walked through the metal detector the guard picked up my knife and looked at it. He opened the blade part-way (perhaps to see if it was a switch-blade? or to check the size of the blade?), closed it, and gave it back to me without comment. A similar thing happened about 9 years ago in Chicago, except the guard told me, "just don't kill anybody." Seriously!

It sounds as if the airline security folks are fairly sensible about the types of things you can and can't take on an airline with you. I would be shocked if they tried to prevent me from taking on board my mechanical pencil, which is a pointed metal object about the same length as my open Boy Scout knife.

:: Jeff Makey
Makey@LOGICON.ARPA
----MESSAGE-END----

----MESSAGE-BEGIN----
[8906282138.AA12713@ucbarpa.Berkeley.EDU]
<1989060619503800>
From: pyron@lvvax1.csc.ti.com (Who remembers 8USER.PAR?)
Newsgroups: misc.security
Subject: DECUS Security SIG
Message-ID: <8906282138.AA12713@ucbarpa.Berkeley.EDU>
Date: 6 Jun 89 19:50:38 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 12
Approved: security@rutgers.edu
Posted: Tue Jun 6 20:50:38 1989

Is there anyone on this list who took part in any of the sessions at the Spring DECUS (Atlanta) on forming a Security SIG? I haven't heard from anyone since then, and my management wants to know where it is going. Please reply directly to me.

Dillon Pyron                          | The opinions are mine, the facts
TI/DSEG Lewisville Computer Services  | probably belong to the company.
pyron@lvvax1.csc.ti.com               |
(214)462-5449                         | We try, we learn, sometimes we die.
                                      | We sit on our butts, learn nothing,
                                      | and we still die.
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989060619551800>
From: lamaster@ames.arc.nasa.gov (Hugh LaMaster)
8-JUN-1989 3:35:18
To: misc-security@ames.arc.nasa.gov
Subj: [1927] Re: Consensus on locks?

I have seen many postings on a variety of problems with so-called high security standard-cylinder-type locks. While no such lock is perfect, it would seem that there might be a consensus that some particular product line is the least likely to be easily picked or forced by garden-variety burglars, and may even slow down an expert. If there is such a consensus on a company/product line, I would appreciate knowing what it is.

A sort of related question is: I have seen locks with automatic "dead bolts" - meaning, locks in which opening the door with a key from the outside (not in the handle) pulls back a full-sized spring loaded bolt, which closes when the door is closed. The obvious idea is to prevent "loiding" (I think this is the term...), and also to provide more resistance to forcing than the relatively narrow bars which are used on some locks for the same purpose. Does anyone know the availability of these locks and whether they have any advantage over the standard narrow bar type? (I am no lock expert, in case it isn't obvious :-) ). I assume that such a lock would have to be well lubricated to allow the torque of a key to open a large bolt, but what other disadvantages are there?

Hugh LaMaster, m/s 233-9,        UUCP ames!lamaster
NASA Ames Research Center        ARPA lamaster@ames.arc.nasa.gov
Moffett Field, CA 94035          Phone: (415)694-6117

[Moderator toss-in: The usual way manufacturers of spring-loaded latches prevent carding, loiding, sliding, whatever you want to call it, is to provide an extra latch piece that is pushed into the mortise edge when the door is closed, and engages a catch that prevents the main latch from being pushed in. These are well-known to, um, not work in many installations. The sure-fire way to lock the door is a dead bolt or better, but you can't just slam the door closed. If you're a chronic loser of keys, this could be good! _H*]
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989060702444100>
From: Stephen Wadlow
8-JUN-1989 10:24:41
To: biocca@bevb.bev.lbl.gov (Alan Biocca), misc-security@ucbvax.berkeley.edu
Subj: [791] Re-keying [Was: Re: MEDCO locks]

Rekeying is feasible depending on the availability of pins. Many cylinders use a fairly standard pin (.115 in diameter, frequently in .003 or .005 increments). Medeco and a few other companies (Best comes to mind) use different size pins that aren't as easily available. Medeco also requires very specific types of pins if they are addressing the sidebar, otherwise, other pins are useless.

What I would really like to see is more vendors going to the hex-nut caps that Medeco uses. It would make re-keying much easier and quicker.

steve
======================================================================
Stephen G. Wadlow
Internet: stephen.wadlow@andrew.cmu.edu
Bitnet: wadlow@drycas
"Hey Man, A ship in harbor is safe, but that ain't what ships are for"
----MESSAGE-END----

----MESSAGE-BEGIN----
[8906140108.AA05412@ucbarpa.Berkeley.EDU]
<1989060704391100>
From: svh@XAIT.XEROX.COM (Susan Hammond)
Newsgroups: misc.security
Subject: Re: Security Digest
Message-ID: <8906140108.AA05412@ucbarpa.Berkeley.EDU>
Date: 7 Jun 89 04:39:11 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 18
Approved: security@rutgers.edu
Posted: Wed Jun 7 05:39:11 1989

There are cheap low-tech ways to make an envelope really tamper-resistant -- or to make tampering obvious. Easiest is to enclose the item in question in aluminum foil before you put it into the envelope. Also, you can enclose the whole envelope in two clear sheets of contact paper.
For a #10 envelope, cut two sheets about 4" by 10", peel the backing off, place the envelope on one, cover with the other, and leaving about 1/2 to 1" of contact paper around the edges of the envelope, trim the contact paper edges to be even to make it difficult to get a grip on a single sheet. If someone tries to remove it, it is pretty obvious.

Putting a signature on the envelope (as suggested in an earlier posting?) helps you detect an attempt to substitute a new envelope for the damaged one.

--
------------------------------------------------------------------
Susan Hammond/CCA
svh@XAIT.Xerox.COM
{decvax,linus,mirror}!xait!svh
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989060709303800>
From: hal@gateway.mitre.org (Hal Feinstein)
8-JUN-1989 17:10:38
To: -v@gateway.mitre.org, security@pyrite.rutgers.edu
Subj: [633] very fast DES is near
Cc: infsecur@smiley.mitre.org

I've just gotten the word that a substantially reworked version of DES will soon become public. The version eliminates the pipeline structure of FIPS 46 and replaces much of the bit picking that slows most computer implementations. I haven't been told how much of a speed-up this will have over the FIPS 46 version of the algorithm. The new version has eliminated some of the "rounds" structure of the current algorithm and still computes the same DES process. Speculation is that it will make file and bulk based DES faster and less expensive and will provide a base for faster IC implementations. More as I find it out.
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989060709405300>
From: "David D. Grisham"
8-JUN-1989 17:20:53
To: security@ubvm
Subj: [994] PC Network Security

Has anyone had experience with fileserver security? I am reviewing our new fileserver proposed setups. Novell SFT 2.15 and AppleShare 2.0 in a 50 station pod. What safeguards are you all using? Any hacker or virus problems? General and specific information would be appreciated. Also, we are going to keep stats on use (Saber on Novell). What menu/usage tracking software are you using and is it safe and effective? In return I can help with Mac specific viruses with policies and tools. On the DOS side we have been using notchless disks in our remote pods - Novell looks like a potential problem - yes or no? We have been running an AppleShare for a year and have it up, running, and safe 99% of the time in a small lab.

Dave Grisham, Senior Consultant/Virus Security    Phone (505) 277-8148
Computer & Information Resources & Technology
University of New Mexico                          USENET DAVE@UNMA.UNM.EDU
Albuquerque, New Mexico 87131                     BITNET DAVE@UNMB
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989060714314800>
From: viusys!rwb@daitc.mil (Rick Butland)
8-JUN-1989 22:11:48
To: security@rutgers.edu
Subj: [382] Encryption Software For PC's

As the subject says, is anyone aware of a software package that will encrypt files on DOS? Actually, what's desired is the ability to compose a msg on a PC, encrypt it, and mail it to another PC user, where both PCs are attached to a Unix host. Most likely, though, rather than mail, the messages will just be uploaded/downloaded.

Thanks in advance,
Rick Butland (rwb@viusys)
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989060714480100>
From: SIANI@nssdca.gsfc.nasa.gov
8-JUN-1989 22:28:01
To: security@rutgers.edu
Subj: [3542] RE: Kevin Mitnick

>Attorneys said yesterday they are negotiating a second plea
>bargain for computer hacker Kevin Mitnick

Kevin Mitnick, the hacker "so dangerous that he can't even be allowed to use a phone". "He could ruin your life with his keyboard". "Armed with a keyboard and considered dangerous." These are some of the things that have been said about this person. All of this media hype would be fine if it just sold newspapers. But it has done much more than just sell a few papers. It has influenced those that will ultimately decide his fate.

I myself don't know the man, but I have talked to others that do, including one of the persons that investigated Mitnick.
From all I have heard about him, I think he is a slime ball! But even a slime ball should not be railroaded into a prison sentence that others of equal or greater guilt have avoided. I personally feel the man is just a criminal, like the guy that robs a 7/11, no better but certainly not any worse. Unfortunately he is thought of as some kind of a "SUPER HACKER". The head of LA Police Dept's Computer Crime Unit is quoted as saying "Mitnick is several levels above what you would characterize as a computer hacker". No disrespect intended, but a statement like this from the head of a computer crime unit indicates his ignorance of the ability of hackers and phone phreaks.

Sure he did things like access and perhaps even alter Police Dept. criminal records, credit records at TRW Corp, and Pacific Telephone, disconnecting phones of people he didn't like etc. But what is not understood by most people outside of the hack/phreak world is that these things are VERY EASY TO DO AND ARE DONE ALL THE TIME. In the hack/phreak community such manipulation of computer and phone systems is all too easy. I see nothing special about his ability to do this.

The only thing special about Kevin Mitnick is that he is not a "novice" hacker like most of the thirteen year old kids that get busted for hacking/phreaking. It has been a number of years since an "advanced" hacker has been arrested. Not since the days of the Inner Circle gang have law enforcement authorities had to deal with a hacker working at this level of ability. As a general rule, advanced hackers do not get caught because of their activity but rather it is almost always others that turn them in. It is therefore easy to understand why his abilities are perceived as being extraordinary when in fact they are not.

Because of all the media hype this case has received I'm afraid that:

1.) He will not be treated fairly. He will be judged as a much greater threat to society than others that have committed similar crimes.

2.) He will become some kind of folk hero. A Jesse James with a keyboard. This will only cause others to follow in his footsteps.

I'm not defending him or the things he has done in any sense. All I'm saying is let's be fair. Judge the man by the facts, not the headlines.

Disclaimer: The views expressed here are my own.

Kenneth Siani
Sr. Security Specialist
Information Systems Div.
NYMA Inc.
Internet Mail: siani@nssdca.gsfc.nasa.gov
----MESSAGE-END----

----MESSAGE-BEGIN----
[8906102334.AA27671@ucbarpa.Berkeley.EDU]
<1989060721350000>
From: WMURRAY@dcm1wm.das.net
Newsgroups: misc.security
Subject: Export of the DES
Message-ID: <8906102334.AA27671@ucbarpa.Berkeley.EDU>
Date: 7 Jun 89 21:35:00 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 66
Approved: security@rutgers.edu
Posted: Wed Jun 7 22:35:00 1989

>Not long ago I got inside word that AT&T had asked for a determination
>of the export status of their UNIX crypt routines, the outcome of which
>was essentially that individual approval would have been readily obtained,
>but not blanket "warehouse" approval. This seems pretty silly to me..

It is not silly if you believe yourself to be required by law to keep track of every instance.

>From my own experience, it seems to me that DES per se is not excluded from
>export. It just depends on how you use it.

DES is not excluded from export. However, it must be licensed. It is easy to get a license for DES in hardware. It is easy to get a license for a one-way implementation of DES in software. It may be possible to get a license to export a reversible version of the DES in software provided that it is so embedded in an application that it cannot be used to encrypt an arbitrary file or message. It is practically impossible to get a license to export a software implementation of a general purpose and reversible version of DES (or indeed any other algorithm for that matter.)
Such implementations have the potential for turning any mini or micro into a crypto engine. This might fill the ether with traffic that cannot be readily recognized, raising the cost of signals intelligence gathering.

>What makes DES written here so secret when the one written in Finland
>(acc. a recent posting) isn't??????

The issue is not secrecy; it is replicability. Note that hardware implementations cannot be easily copied or modified. If you can keep track of the incidents of hardware, but would have more difficulty in keeping track of copies of software, then you might be interested in discouraging software. If the work factor for reading the DES was N, but that of reading a variant is >N then one might be motivated to discourage variants.

>We're locking the barn door -- with the horse inside -- but after the
>back wall fell down.

One does what one can do. This is particularly true if one believes oneself to be mandated by law to do so.

These observations are based upon many years of observing this issue. While I have often discussed them in front of officers of the NSA, they have never commented on them. Neither have they ever attempted in any way to influence me. I suspect that the area is classified and that they are unable to confirm or deny. I am not now, have never been, and do not ever expect to be an agent of the NSA. While I am a guest on DOCKMASTER, this message originates on MCI Mail.

____________________________________________________________________
William Hugh Murray                 216-861-5000
Fellow,                             203-966-4769
Information System Security         203-964-7348 (CELLULAR)
                                    ARPA: WHMurray@DOCKMASTER
Ernst & Whinney                     MCI-Mail: 315-8580
2000 National City Center           TELEX: 6503158580
Cleveland, Ohio 44114               FAX: 203-966-8612
                                    Compu-Serve: 75126,1722
                                    INET: WH.MURRAY/EWINET.USA
21 Locust Avenue, Suite 2D          DASnet: [DCM1WM]WMURRAY
New Canaan, Connecticut 06840       PRODIGY: DXBM57A
--------------------------------------------------------------------
----MESSAGE-END----

----MESSAGE-BEGIN----
[8906220234.AA01106@ucbarpa.Berkeley.EDU]
<1989060816122600>
From: strauss@AEROSPACE.AERO.ORG (Daryll Strauss)
Newsgroups: misc.security
Subject: Re: High-Tech Knife
Message-ID: <8906220234.AA01106@ucbarpa.Berkeley.EDU>
Date: 8 Jun 89 16:12:26 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 19
Approved: security@rutgers.edu
Posted: Thu Jun 8 17:12:26 1989

I carry my Swiss Army knife with me all the time, and my usual routine is to hand it to the security guard on my way through the metal detector. They usually don't bother to open it, but when they do, they are checking that the blade is less than 3 and 1/2 inches long. I believe that is the current FAA limit.

The security people are reasonable, and some of them even have a sense of humour! I got quite a chuckle when I was returning from a trip to Mexico. I was 18 (and looked younger), and I was carrying 2 liters of Tequila. The security guard X-rayed my bag and just laughed. It wasn't his job to stop minors from drinking!

The thing that is much more scary is when I was leaving Pittsburgh on one trip and forgot to remove my knife and the metal detector did NOT go off! That really made me worry.

-------------------------------------------------------------------------------
Daryll Strauss                   The Aerospace Corp.
strauss@aerospace.aero.org       Mail Stop: M1-102
..!uunet!aero.org!strauss        P.O.
Box 92957 ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1989060914495900> From: simsong@idr.cambridge.ma.us (Simson L. Garfinkel) 10-JUN-1989 22:29:59 To: elbows@bloom-beacon.mit.edu, security@rutgers.edu Subj: [435] ISDN I am doing an article on ISDN for The Boston Globe. The artice would like to write about all of the problems with ISDN, all of the advantages, what people's experience have been (both positive and negative), and where things are going. If anybody would like to give me a call or email, and flame, this is your chance!!! Simson L. Garfinkel 409 Washington Street Cambridge, MA 02139 617-876-6111 simsong@idr.cambridge.ma ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1989060915151700> From: leichter@cs.yale.edu (Jerry Leichter (LEICHTER_JERRY@CS.YALE.EDU)) 10-JUN-1989 22:55:17 To: misc-security@uunet.uu.net Subj: [1293] Re: DES export laws Try substituting "tanks" for "DES implementations". There are many manufac- turers of tanks in the world; their products are not subject to US control. Should the US therefore be willing to export tanks to anyone who wants them? One can certainly criticise the export controls that now exist for being poorly stated, or ineffective, or any of a variety of other things. Certainly the way they ARE stated can make them look very silly. But it bothers me to see a complete unwillingness to understand that there is a real, underlying issue here. Suppose the US manufactured military radios containing very strong encryption technology. Should we be willing to sell those to anyone who wanted them? Suppose the basic technology for the radios was readily available, but the encryption chips that made the radios used secret technology. Should we sell the encryption chips to anyone who asks? If your answer to this question is different from the previous one, can you explain why? 
Now suppose the algorithms of the encryption chips were public knowledge, but actually implementing them as chips with sufficient speed, reliability, low power consumption, whatever, was very hard. Does your answer change?

Lines are hard to draw. But laws require them to be drawn.

-- Jerry
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989060915280400>
From: WMURRAY@dcm1wm.das.net
10-JUN-1989 23:08:04
To: security@rutgers.edu
Subj: [3350] Export of the DES

>Not long ago I got inside word that AT&T had asked for a determination
>of the export status of their UNIX crypt routines, the outcome of which
>was essentially that individual approval would have been readily obtained,
>but not blanket "warehouse" approval. This seems pretty silly to me..

It is not silly if you believe yourself to be required by law to keep track of every instance.

>From my own experience, it seems to me that DES per se is not excluded from
>export. It just depends on how you use it.

DES is not excluded from export. However, it must be licensed. It is easy to get a license for DES in hardware. It is easy to get a license for a one-way implementation of DES in software. It may be possible to get a license to export a reversible version of the DES in software provided that it is so embedded in an application that it cannot be used to encrypt an arbitrary file or message. It is practically impossible to get a license to export a software implementation of a general purpose and reversible version of DES (or indeed any other algorithm for that matter.) Such implementations have the potential for turning any mini or micro into a crypto engine. This might fill the ether with traffic that cannot be readily recognized, raising the cost of signals intelligence gathering.

>What makes DES written here so secret when the one written in Finland
>(acc. a recent posting) isn't??????

The issue is not secrecy; it is replicability. Note that hardware implementations cannot be easily copied or modified.
If you can keep track of the incidents of hardware, but would have more difficulty in keeping track of copies of software, then you might be interested in discouraging software. If the work factor for reading the DES was N, but that of reading a variant is >N then one might be motivated to discourage variants.

>We're locking the barn door -- with the horse inside -- but after the
>back wall fell down.

One does what one can do. This is particularly true if one believes oneself to be mandated by law to do so.

These observations are based upon many years of observing this issue. While I have often discussed them in front of officers of the NSA, they have never commented on them. Neither have they ever attempted in any way to influence me. I suspect that the area is classified and that they are unable to confirm or deny. I am not now, have never been, and do not ever expect to be an agent of the NSA.

While I am a guest on DOCKMASTER, this message originates on MCI Mail.

____________________________________________________________________
William Hugh Murray                          216-861-5000
Fellow,                                      203-966-4769
Information System Security                  203-964-7348 (CELLULAR)
ARPA: WHMurray@DOCKMASTER
Ernst & Whinney                              MCI-Mail: 315-8580
2000 National City Center                    TELEX: 6503158580
Cleveland, Ohio 44114                        FAX: 203-966-8612
Compu-Serve: 75126,1722
INET: WH.MURRAY/EWINET.USA
21 Locust Avenue, Suite 2D                   DASnet: [DCM1WM]WMURRAY
New Canaan, Connecticut 06840                PRODIGY: DXBM57A
--------------------------------------------------------------------
----MESSAGE-END----

----MESSAGE-BEGIN----
[8906231854.AA21421@ucbarpa.Berkeley.EDU] <1989061016350600>
From: ijk@cbnewsh.att.com (ihor.j.kinal)
Newsgroups: misc.security
Subject: Re: car locks
Message-ID: <8906231854.AA21421@ucbarpa.Berkeley.EDU>
Date: 10 Jun 89 16:35:06 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 14
Approved: security@rutgers.edu
Posted: Sat Jun 10 17:35:06 1989

Wandering thru the local car parts store, I came across a device to
make your steering wheel DETACHABLE!!! REMOVE THE WHEEL WHEN YOU LEAVE - That should deter most thieves. Cost - around $80.

If I owned a Ferrari, I might get one - but I'd check first that it did not release TOO easily - might be a bit disconcerting if you reach out to adjust the tilt, and instead wind up disconnecting!!!

Ihor Kinal
cbnewsh!ijk
[standard disclaimer applies]
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989061018193700>
From: gwyn@brl.mil
12-JUN-1989 1:59:37
To: security@rutgers.edu
Subj: [298] Re: password security

>But what if the new version of crypt is not public ... ?

One of the first rules of cryptography is to assume that the "opposition" knows all about the general system and is deprived only of the specific keys used for encryption. Experience has shown this to be a good approximation to reality.
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989061018441200>
From: Fred Blonder
12-JUN-1989 2:24:12
To: cme@cloud9.stratus.com (Carl Ellison)
Subj: [488] Re: password security
Cc: linus!misc-security@ursa-major.spdcc.com

You don't have to erase old encrypted passwords when you change algorithms -- just be prepared to accept either, for a while -- Or just silently store the new encryption.

In fact, changing the encryption algorithm on a regular basis, combined with accepting either the current or previous encryptions, would be one way of implementing password aging, assuming you really want to do that.

----
Fred Blonder
David Taylor Research Center
(202) 227-1428
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989061018550700>
From: gregm@csd4.milw.wisc.edu (Greg Mumm)
12-JUN-1989 2:35:07
To: misc-security@uunet.uu.net
Subj: [597] Tracing license numbers

I have noticed that reporters and local security officials have the ability to trace auto license plates. Does anyone know how this is done? Seems unlikely that they call up the local police department and ask because anyone could do that!
What is the probability that a common citizen could find out the address of the person who cuts us off on the freeway via his license number and then proceed to visit him (or her) in person? :-)

Any suggestions?

Internet: gregm@csd4.milw.wisc.edu / arpa!gregm@csd4.milw.wisc.edu
Uucp: uwvax!uwmcsd1!uwmcsd4!gregm
Csnet: gregm%uwmcsd4@uwm
Greg Mumm
----MESSAGE-END----

----MESSAGE-BEGIN----
[8906290145.AA16342@ucbarpa.Berkeley.EDU] <1989061105223300>
From: gwyn@BRL.ARPA (Doug Gwyn)
Newsgroups: misc.security
Subject: Re: DES export laws
Message-ID: <8906290145.AA16342@ucbarpa.Berkeley.EDU>
Date: 11 Jun 89 05:22:33 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 13
Approved: security@rutgers.edu
Posted: Sun Jun 11 06:22:33 1989

>Try substituting "tanks" for "DES implementations".

There is a fundamental difference. Tanks can obviously be used to assault you, to violate rights of individuals on a large scale. Effective encryption technology could be used to prevent your eavesdropping, to protect the rights of persons communicating.

I see no way to claim that NSA or anyone else has a "right" to be able to snoop on other people's conversations. I don't dispute that such snooping can produce useful information, but it is not information to which we are in principle entitled.

As much as I love cryptanalysis, I would welcome a world in which people can be sure their communications are secure against snoops.
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989061114230400>
From: Mr.
Stanley Cup
12-JUN-1989 22:03:04
To: @uxv.larc.nasa.gov:security@pyrite.rutgers.edu
Subj: [798] password security

> You don't have to erase old encrypted passwords when you change
> algorithms -- just be prepared to accept either, for a while --

How about having both algorithms available for a "real short" time and do this with them:

    if (strcmp(new_crypt(reply, salt), pass) == 0) {
        /* all is ok, let 'em in */
    } else if (strcmp(crypt(reply, salt), pass) == 0) {
        new_version_pass = new_crypt(reply, salt);
        /* update the passwd file */
        /* let 'em in */
    } else {
        /* password was no good, do whatever */
    }

After all of your users have logged in at least once, you then have all of their passwords converted to the new algorithm without ever knowing what their password is/was and the user will not know that anything was done to the encryption algorithm for logging in.

-=>gretzky<=-
.mitch
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989061114375400>
From: zeleznik@cs.utah.edu (Mike Zeleznik)
12-JUN-1989 22:17:54
To: security@pyrite.rutgers.edu
Subj: [1198] Re: password security

Assuming you could keep the binary secure, isn't there always the old argument that you should not base the security of a crypto system on the secrecy of the algorithm, in general? "GOOD" ciphers are hard to design; the average person doesn't just come up with a new one overnight. Once you figure yours has sufficiently leaked out, you'll have to design another one; EACH time. The NSA seems willing to do this (with the new crypto systems), but I would think the algorithm secrecy exists more as an added nuisance than a requirement. They must figure it can't stay secret for very long.

What about sticking with the current crypt, but just change the constant. Now you only have to keep a single number secret, and you can afford to change it very often. Further, using the scheme mentioned earlier, the login could recognize both the old and new crypt constant.
Couldn't it then simply generate the new crypt'd password when it needs to (or is this too dangerous?)?

Mike

Michael Zeleznik
Computer Science Dept.
University of Utah
zeleznik@cs.utah.edu
Salt Lake City, UT 84112
(801) 581-5617
----MESSAGE-END----

----MESSAGE-BEGIN----
[8906290404.AA18088@ucbarpa.Berkeley.EDU] <1989061203040700>
From: G.D.Shaw@DURHAM.AC.UK
Newsgroups: misc.security
Subject: Re: DES Export Laws
Message-ID: <8906290404.AA18088@ucbarpa.Berkeley.EDU>
Date: 12 Jun 89 03:04:07 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 39
Approved: security@rutgers.edu
Posted: Mon Jun 12 04:04:07 1989

> Try substituting "tanks" for "DES implementations".

This is not a valid analogy. Once you have one copy of a DES algorithm, then it is easy to create as many as you like; the same is not true of military hardware. Therefore, even if your enemy has a given number of tanks, or of guns or whatever, it is still in your interest not to give him any more. With software, he only needs to buy or steal one, so if you are going to try to prevent the DES falling into the 'wrong hands', that security must be complete:

1. If the software is on open sale in the US, then you may as well sell it in Moscow too - at least that way, they might pay for it instead of buying one copy in the US and pirating the rest. There is certainly no point in banning it from NATO or neutral countries.

2. If you really want to stop the Russians getting hold of it, then you need strict regulations in the US as well - but if this was effective you would probably have had to prevent any commercial use of the product and restrict it to government agencies only.

3. Even if you did this, it would only be a matter of time before any hostile government was able to steal a copy; indeed, I would be surprised if the Russians are not capable of writing their own DES code.
Fast DES chips are a very different matter: though it can undoubtedly be done, copying chips is not a trivial undertaking. The issues at stake are therefore essentially identical to those governing the sale of CPUs or complete computers.

Software and hardware pose very different problems, and just because they both relate to the DES they should not be confused.

+----------------------------------------------------------------+
| Graham Shaw, Collingwood College, South Road, Durham, ENGLAND  |
| JANET       : G.D.Shaw @ UK.AC.DUR.MTS                         |
| Internet    : G.D.Shaw%MTS.DUR.AC.UK@cunyvm.cuny.edu           |
| EARN/BITNET : G.D.Shaw%MTS.DUR.AC.UK@UKACRL                    |
+----------------------------------------------------------------+
| "I always said there was something fundamentally wrong with    |
| the Universe" - Arthur Dent                                    |
+----------------------------------------------------------------+
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989061216264400>
From: John Lekashman
14-JUN-1989 0:06:44
To: ron@ron.rutgers.edu
Subj: [453] System Security
Cc: misc-security@rutgers.edu

UNICOS, at least as I saw it two years ago, had no pretense at security.

Things are getting better. They now very quickly get bug repairs in, at least in the networking area. In fact, CRI is the fastest vendor we have at applying and releasing discovered security bug repairs. (Except vaxes running BSD, but that's a special case.) So, if you find something, tell them. If it's real, and gets back to Minnesota, it gets fixed.

john
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989061216542300>
From: _David C. Kovar
14-JUN-1989 0:34:23
To: security@rutgers.edu
Subj: [619] Kuang

>You might check out Bob Baldwin's stuff (MIT) for rule-based analysis of
>UNIX system security. He had a paper in CompCon Spring 87.

This sounds like a program called 'kuang' that I've been looking for, on and off, since a network security conference in Boston a few months back. If anyone knows where one can acquire a copy of it I would be most appreciative.

-David C.
Kovar
Technical Consultant                ARPA: kovar@husc4.harvard.edu
Office of Information Technology    BITNET: corwin@harvarda.bitnet
Harvard University                  MacNET: DKovar
Ma Bell: 617-495-5947
"It is easier to get forgiveness than permission."
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989061217041800>
From: svh@xait.xerox.com (Susan Hammond)
14-JUN-1989 0:44:18
To: misc-security@linus.mitre.org
Subj: [929] Re: Security Digest

There are cheap low-tech ways to make an envelope really tamper-resistant-- or to make tampering obvious. Easiest is to enclose the item in question in aluminum foil before you put it into the envelope.

Also, you can enclose the whole envelope in two clear sheets of contact paper. For a #10 envelope, cut two sheets about 4" by 10", peel the backing off, place the envelope on one, cover with the other, and leaving about 1/2 to 1" of contact paper around the edges of the envelope, trim the contact paper edges to be even to make it difficult to get a grip on a single sheet. If someone tries to remove it it is pretty obvious.

Putting a signature on the envelope (as suggested in an earlier posting?) helps you detect an attempt to substitute a new envelope for the damaged one.

--
------------------------------------------------------------------
Susan Hammond/CCA
svh@XAIT.Xerox.COM
{decvax,linus,mirror}!xait!svh
----MESSAGE-END----

----MESSAGE-BEGIN----
[8906140738.AA07872@ucbarpa.Berkeley.EDU] <1989061217232500>
From: cep@APPLE.COM (Christopher Pettus)
Newsgroups: misc.security
Subject: Re: Tracing license numbers
Message-ID: <8906140738.AA07872@ucbarpa.Berkeley.EDU>
Date: 12 Jun 89 17:23:25 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 14
Approved: security@rutgers.edu
Posted: Mon Jun 12 18:23:25 1989

In California, at least, automobile registration records are public information.
You just go down to the local DMV, fill out a form (stating why you want the information), pay an exceptionally nominal fee that depends on how much information you gave them to do the search, and they send you the registration information. They also let the registered owner know that you did the request, however; I suppose one could use an assumed name (which, I'm quite sure, would be illegal).

--
Christopher Pettus                    | "Ganesha Said: 'Done! The very
Network Systems Development           | day I was born I made my first
Apple Computer, Inc.                  | mistake, and by that path have
cep@apple.com {nsc, sun}!apple!cep    | I sought wisdom ever since.'"
AppleLink: PETTUS.C                   | - The Mahabharata
(408) 974-0004                        | I: A Mine of Jewels and Gems
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989061223343100>
From: mrc@tomobiki_cho.cac.washington.edu (Mark Crispin)
14-JUN-1989 7:14:31
To: misc-security@ames.arc.nasa.gov
Subj: [727] Re: Tracing license numbers

Auto registration and driver's license information is public information, available to anyone. All you have to do is go to the local licensing agency for your state, plunk down a few dollars, and you'll receive a printout.

A few states, such as California, will make you give some reason for asking for the information, and will notify that person that so-and-so looked up your record. However, they don't verify the reason or so-and-so's address, etc.

Mark Crispin / 6158 Lariat Loop NE / Bainbridge Island, WA 98110-2020
mrc@CAC.Washington.EDU / MRC@WSMR-SIMTEL20.Army.Mil / (206) 842-2385

[Moderator tack-on: Thanks also to the *numerous* others who have so far responded with nearly identical information... _H*]
----MESSAGE-END----

----MESSAGE-BEGIN----
[8906301654.AA05716@ucbarpa.Berkeley.EDU] <1989061319355800>
From: hollombe@ttidca.tti.com (The Polymath)
Newsgroups: misc.security
Subject: Re: Kevin Mitnick
Message-ID: <8906301654.AA05716@ucbarpa.Berkeley.EDU>
Date: 13 Jun 89 19:35:58 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 50
Approved: security@rutgers.edu
Posted: Tue Jun 13 20:35:58 1989

}I personally feel the man is just a criminal, like the guy that robs a 7/11,
}no better but certainly not any worse.

A number of people have been killed in 7/11 robberies. How bad is that?

}... Sure he did things like access and perhaps even altered
}Police Dept. criminal records, credit records at TRW Corp, and Pacific
}Telephone, disconnecting phones of people he didn't like etc.
}But what is not understood by most people outside of the hack/phreak world is
}that these things are VERY EASY TO DO AND ARE DONE ALL THE TIME.

Therefore Mitnick's guilt is less? More appropriately, we should throw the book at him and go after similar criminals/sociopaths just as aggressively.

}1.) He will not be treated fairly. He will be judged as a much greater threat
}to society than others that have committed similar crimes.

That's his lawyer's problem.

}2.)
He will become some kind of folk hero. A Jesse James with a keyboard.

Not if he's found guilty and harshly sentenced. There's little glory in 20 years behind bars with no access to his favorite toys.

}I'm not defending him or the things he has done in any sense. All I'm saying
}is let's be fair. Judge the man by the facts, not the headlines.

Let's trust the jury to do just that. Despite the image of a chaotic court system, created by the same media hype of a few odd cases, juries, by and large, have been shown to be fairly efficient at fact finding and interpretation and ignoring media bull.

BTW, my impression from the news media is that Mitnick isn't a super hacker, or even much of a hacker, at all. He's more a classic, textbook sociopath. Most of the times he gained access to systems he did so not with computer expertise, but by conning the owners into giving him the needed passwords. That ability to inspire trust, combined with the conscienceless willingness to abuse it, is a classic symptom of sociopathy. It has nothing to do with computer expertise. If he didn't know anything about computers Mitnick would probably be an embezzler or a used car salescritter.

I suspect society will be much better off with him isolated and neutralized (and that should keep me off the jury, at least).

--
The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com)   Illegitimati Nil
Citicorp(+)TTI                                                Carborundum
3100 Ocean Park Blvd.     (213) 452-9191, x2483
Santa Monica, CA 90405    {csun|philabs|psivax}!ttidca!hollombe
----MESSAGE-END----

----MESSAGE-BEGIN----
[8907060417.AA08860@ucbarpa.Berkeley.EDU] <1989061420285700>
From: kiravuo@KAMPI.HUT.FI (Timo Kiravuo)
Newsgroups: misc.security
Subject: Re: Consensus on locks?
Message-ID: <8907060417.AA08860@ucbarpa.Berkeley.EDU>
Date: 14 Jun 89 20:28:57 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 41
Approved: security@rutgers.edu
Posted: Wed Jun 14 21:28:57 1989

>A sort of related question is: I have seen locks with automatic "dead bolts"
> - meaning, locks in which opening the door with a key from the outside
>(not in the handle) pulls back a full-sized spring loaded bolt, which closes
>when the door is closed.

I'm not sure I understood this right, but in Finland we have ABLOY locks with a keyhole on the outside and a small flat knob (not the round American type) on the outside. Towards the frame there is a small triangular piece that is pressed in by the frame and a larger (1 x 3 x 1,5 cm) rectangular piece that locks the door. You open the door from outside by twisting the key 180 degrees and pulling and lock it by pushing the door close. When the larger piece is out, you can pull it back in by twisting the knob or the key, but not by pushing it. There are some variations of the theme, but basically you can not open a lock of this type in the traditional "movie style", with a credit card or something like that.

In Finland ABLOY has a major share of the lock market, and they are considered to be most secure. They are not completely secure, apparently somebody has found a way to open one. There was something about it in the papers some time ago.

In the door of my apartment I have two locks. For normal use I have an ABLOY so that I can just push the door shut when I leave. When I am away for a longer time I use a German Zeiss Icon security lock that has to be shut with a key. This is a rather common practice in Finland.

One thing that I have always wondered about in the states is the practice of having _round_ knobs on doors. If the lock is tight, they are really awful to turn. In Finland we usually have decent handles that you can turn. Much easier.
--
Timo Kiravuo
Helsinki University of Technology, Computing Center
kiravuo@hut.fi    kiravuo@fingate.bitnet    sorvi::kiravuo
work: 90-451 4328    home: 90-676 076
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989061901584400>
From: ddefend@mcdurb.Urbana.Gould.COM
20-JUN-1989 9:38:44
To: misc-security@uxc.cso.uiuc.edu
Subj: [305] auto-call-back modems

I'm looking for a modem which is capable of dial-back and is advertised as being somewhat secure. I would appreciate hearing from anyone who has experience with any modem of this type.

-----
Dan Defend
Motorola Microcomputer Division
ARPA: ddefend@urbana.mcd.mot.com
UUCP: uunet!uiucdcs!mcdurb!ddefend
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989061902242400>
From: spaf@cs.purdue.edu (Gene Spafford)
20-JUN-1989 10:04:24
To: misc-security@gatech.edu
Subj: [487] Need list of names

For purposes of checking for weak passwords, I'd like to obtain a list of common names (Al, Fred, George... Alice, Kathy, Susan...) Does anybody have such a list online they'd be willing to share with me? Please e-mail -- don't post.

Thanks in advance!

--
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu    uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989061902335800>
From: faigin@aerospace.aero.org
20-JUN-1989 10:13:58
To: security@rutgers.edu
Subj: [748] Looking for Conferences or Seminars on Security

Someone in our company asked me for information on conferences or seminars that might provide somebody with background on DoD regulations and requirements for computer security, including regulations about TEMPEST. As I am more involved with multi-level computer security (as opposed to the DoD side of things), I thought I might toss out the request. Does anyone know of conferences or seminars which might fit the bill?
Daniel
Work :The Aerospace Corp M8/055 * POB 92957 * LA, CA 90009-2957 * 213/336-3149
Home :8333 Columbus Avenue #17 * Sepulveda CA 91343 * 818/892-8555
Email:faigin@aerospace.aero.org (or) Faigin@dockmaster.ncsc.mil
Voicemail: 213/336-5454 Box#3149 * "Take what you like, and leave the rest"
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989061912560300>
From: Reality is not an Industry Standard
20-JUN-1989 20:36:03
To: security@marist
Subj: [506] Envelopes

A site I worked at used tyvek (tm?) envelopes and sealed them with a few drops of an epoxy. It was very difficult to spray them with "see-through" stuff (I prefer DEC tape unit cleaning fluid) and the epoxy drops ripped off fibers if they were forced.

I prefer to leave the pager or phone number of two people who know system access passwords since a problem and security breach are known in real-time. Unfortunately this is not always possible.

J. Peterson/Sys Eng LIU/South
PETERSON@LIUVAX.BITNET
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989061913092500>
From: peter%ficc@uunet.uu.net (Peter da Silva)
20-JUN-1989 20:49:25
To: misc-security@uunet.uu.net
Subj: [1009] Re: GNU, security, and RMS

> No security on the computer is similar to allowing anyone to come into
> your office and look at anything they please, and also to allow them to
> change anything they please. I doubt if many people would like this.

I think you have this backwards. In no place I have worked has there been any security protecting the contents of people's offices from such intrusion, at least below management levels. In school, however, personal security is taken much more seriously. Every TA and advisor has a lock on their door, lockers for students are available in most buildings, etc...

Security in computer systems at the typical commercial/industry site is mainly to (1) keep intruders out, and (2) keep people from accidentally damaging each others files. And both of these are useful features.
--
Peter da Silva, Xenix Support, Ferranti International Controls Corporation.
Business: uunet.uu.net!ficc!peter, peter@ficc.uu.net, +1 713 274 5180.
Personal: ...!texbell!sugar!peter, peter@sugar.hackercorp.com.
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989061916262900>
From: guy@ksr.com
21-JUN-1989 0:06:29
To: security@rutgers.edu
Subj: [311] Re: High-Tech Knife

Well, I once had a pair of scissors confiscated by airline security before they would let me board a low-risk, Memphis-to-Boston flight. It sounds like you just happened to encounter a fairly sensible airline security character; they're not all like that.

--
Guy Hillyer
ksr!guy@harvard.harvard.edu
----MESSAGE-END----

----MESSAGE-BEGIN----
[8907042318.AA22430@ucbarpa.Berkeley.EDU] <1989061916275800>
From: TS0404@OHSTVMA.Berkeley.EDU (Pat Ratz)
Newsgroups: misc.security
Subject: MIS Training Inst. Conference
Message-ID: <8907042318.AA22430@ucbarpa.Berkeley.EDU>
Date: 19 Jun 89 16:27:58 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 12
Approved: security@rutgers.edu
Posted: Mon Jun 19 17:27:58 1989

I'm new to this list. Has anyone attended MIS Training Institute's conference on Control, Audit, and Security of IBM Systems? I sent for some info on it and I'd like to know if it would be worth attending. Also any comparison info relative to Computer Security Institute's conference.

We are in the midst of installing Top Secret on our MVS system on an IBM 3081D. We have lots of other hardware and software here at OSU including VM, DEC, UNIX. It's all networked together using TCP/IP. I would also be interested in hearing from any other university people who are using Top Secret.
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989061916544700>
From: rjg@sialis.mn.org (Robert J. Granvin)
21-JUN-1989 0:34:47
To: misc-security@uunet.uu.net
Subj: [1354] Re: passwords

>We set up three accounts, with names other than "root", and
>uid 0, gid 1.
>Each account has its own password, and I
>changed the "root" password to something I've already forgotten.

However, you have effectively quadrupled your chances for an unauthorized entry, assuming that someone out there knows the other names of the "root users".

> mine is "radish".

At this point, you've already given one away. Now the world knows that the account "radish" is a root account. One can also assume that "root" still exists. Knowing that "root vegetables" were used to name the other accounts, guesses can be made as to the other account names. Even if they weren't root accounts, it's still a basis to start from...

While it may have improved internal security a bit (though I can't actually see how), you've statistically increased your opportunities for a damaging forced entry. Four accounts with four passwords doesn't really do anything to improve your security. Without knowing anything about your internal specifics, I'd personally say you've damaged it...

--
________Robert J. Granvin________    INTERNET: rjg@sialis.mn.org
____National Computer Systems____    CONFUSED: rjg%sialis.mn.org@shamash.cdc.com
__National Information Services__    UUCP: ...uunet!rosevax!sialis!rjg
"Exxon: Our gasoline contains no sea water"
----MESSAGE-END----

----MESSAGE-BEGIN----
[8906301505.AA04576@ucbarpa.Berkeley.EDU] <1989062014350000>
From: ELTRUT@MSSTATE.BITNET (Michael K. Blackstock)
Newsgroups: misc.security
Subject: Re: auto-call-back modems
Message-ID: <8906301505.AA04576@ucbarpa.Berkeley.EDU>
Date: 20 Jun 89 14:35:00 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 21
Approved: security@rutgers.edu
Posted: Tue Jun 20 15:35:00 1989

Here is an ad taken from "computer shopper" Mar. 89.

"FINAL CLOSEOUT/PRICE SLASHED!
Lockheed-Getex modems now priced below our cost!
..300/1200-baud
..Choice of security levels including selective and nonselective callback
..Non-hayes compatible and any computer...that has industry standard RS-232C port " can use it "...
NOW $29 + $4 S/H
Item # H-4206-7344-195
COMB 1-800-328-0609

I have got two of them. I am using one of them right now, with a Lear Siegler Terminal. The other one is for my PC.

BITNET: ELTRUT@MSSTATE
-Michael
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062018344700>
From: deh@eng.umd.edu
22-JUN-1989 2:14:47
To: Makey@logicon.arpa
Subj: [1325] Re: High-Tech Knife
Cc: security@pyrite.rutgers.edu

The airline security people are in general pretty reasonable, once they understand what something is, and can make a judgement on letting it through or not. A lot of people flame them for asking a lot of questions about things that are strange to them, but they are just trying to understand what the item is and how it fits into their mission.
I used to lug a TI Silent 725 around airports a lot, in the US and internationally, and most of them needed to see the insides of it, since the X-rays did nothing to help my case (the damned things look so much like a bomb when you X-ray them it is not funny). From the viewpoint of the security people this thing was:

1. a large container with lights and switches that could hold enough explosives to blow the whole airport up.
[after x-ray]
2. a large container with lights and switches that contains battery looking things, wires, explosive looking things, more wires, etc.
[after I take off the inner cover]
3. a large frame with lights, switches, capacitors, wires, a roll of paper, circuit cards, more wires, but no sign of anything that might be a problem for their security rules...

Of course, technology has progressed, but a Compaq 386 portable does not look a lot better under x-ray, and is a whole lot harder to open...

Doug
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062019105400>
From: GREENY 22-JUN-1989 2:50:54
To:
Subj: [1774] re: chronic losing of keys...

> this could be good if you are a chronic loser of keys...

Well if that is the case, then investigate the Schlage Key-n-Keyless entry deadbolt/doorknob combination. Basically this is a set up that uses an electronic circuit to allow you to unlock the deadbolt AND the doorknob locks without a key, or with the key if you have it. When you leave the room/apt/whatever, you press a button, open the door and after closing the door, you turn what is normally the security sheath (rim) around the deadbolt cylinder to the right....this locks the deadbolt, and away you walk. Upon returning, you turn the door knob until the LED display (just one 1/4" number only) lights up. Then via a combination of left and right turns of the door knob you enter the combination.
If you do it right, a "U" shows up in the display, the thing beeps, and you can turn the security sheath of the deadbolt to the left, thereby unlocking the deadbolt. Then you use the door knob normally and enter in.

Several problems with this lock are:

1) the whole thing is made of that crappy cheapo metallic ABS plastic and one good whack with a sledgehammer would take it right off the door. (although the deadbolt cylinder, door knob appear to be normal metal)
2) If the batteries die, and you don't have the key, then you have to either call a locksmith to pick it open for you or you have to do it...
3) I don't like the idea of having to push a button when I leave a room; this should be automatic...

Basically this lock would be good for closets, storerooms, etc., where one wants something flashier than a Sentex pushbutton lock...

Bye for now but not for long
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: Greeny
----MESSAGE-END----

----MESSAGE-BEGIN----
[8906301338.AA04058@ucbarpa.Berkeley.EDU] <1989062121382600>
From: gwyn@BRL.MIL
Newsgroups: misc.security
Subject: Re: Envelopes
Message-ID: <8906301338.AA04058@ucbarpa.Berkeley.EDU>
Date: 21 Jun 89 21:38:26 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 9
Approved: security@rutgers.edu
Posted: Wed Jun 21 22:38:26 1989

>A site I worked at used tyvek (tm?) envelopes and sealed them with a few
>drops of an epoxy.

This is probably beyond the bounds of reasonable paranoia, but you should be aware that the standard technique for removing a document from a sealed envelope is to insert a slotted rod at the corner, roll the contents onto the rod, and slip it out as a thin tube. Of course it's reinserted by reversing the process. Thus, the corners of the envelope need special attention.
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062210352100>
From: ijk@cbnewsh.att.com (ihor.j.kinal) 23-JUN-1989 18:15:21
To: misc-security@att.att.com
Subj: [450] Re: car locks

Wandering through the local car parts store, I came across a device to make your steering wheel DETACHABLE!!! REMOVE THE WHEEL WHEN YOU LEAVE - That should deter most thieves. Cost - around $80.

If I owned a Ferrari, I might get one - but I'd check first that it did not release TOO easily - might be a bit disconcerting if you reach out to adjust the tilt, and instead wind up disconnecting!!!

Ihor Kinal
cbnewsh!ijk
[standard disclaimer applies]
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062210484400>
From: nanovx!msa3b!kevin@gatech.edu (Kevin P. Kleinfelter) 23-JUN-1989 18:28:44
To: nanovx!misc-security@gatech.edu
Subj: [598] Re: Consensus on locks?

I don't know about a consensus on pick-proof, but I've been burglarized 3 times in 3 different locations. In 2 cases the door was jimmied; in the 3rd, the door and the jamb were found in toto on my living room rug. I strongly believe in a "jimmy-proof" lock, which usually has several pins on one side, which slide into holes on the other. I've NEVER had a lock picked or credit-carded, but at least 2 were simply crow-barred. (I don't have a jimmy-proof lock now; I've decided "what's the use")
--
Kevin Kleinfelter @ Management Science America, Inc (404) 239-2347
gatech!nanovx!msa3b!kevin
----MESSAGE-END----

----MESSAGE-BEGIN----
[8906302232.AA10451@ucbarpa.Berkeley.EDU] <1989062211511900>
From: oster@DEWEY.SOE.BERKELEY.EDU (David Phillip Oster)
Newsgroups: misc.security
Subject: IBM Mainframe rs232 call-back software=Defender interface?
Message-ID: <8906302232.AA10451@ucbarpa.Berkeley.EDU>
Date: 22 Jun 89 11:51:19 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 16
Approved: security@rutgers.edu
Posted: Thu Jun 22 12:51:19 1989

I'm looking for information about a software package named "Defender" that runs on IBM mainframes. It provides 3270 emulation over rs232 lines connected to inexpensive modems. It uses a hang up and call-back approach.

My questions: What kind of terminal does it expect to see at the remote end? Does the 3270 emulation require a terminal that accepts ANSI control commands or something weirder? Does it provide any file transfer protocols, and if so, which ones?

--- David Phillip Oster                                   --"Unix Version 7 was an improvement not
Arpa: oster@dewey.soe.berkeley.edu                        --only over its predecessors, but also its
Uucp: {uwvax,decvax}!ucbvax!oster%dewey.soe.berkeley.edu  --successors."
----MESSAGE-END----

----MESSAGE-BEGIN----
[8907110332.AA08752@ucbarpa.Berkeley.EDU] <1989062319320000>
From: ACEH0@ais.ucla.edu (Elie Harel)
Newsgroups: misc.security
Subject: Thumb scanning devices
Message-ID: <8907110332.AA08752@ucbarpa.Berkeley.EDU>
Date: 23 Jun 89 19:32:00 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 10
Approved: security@rutgers.edu
Posted: Fri Jun 23 20:32:00 1989

Does anyone have experience with door locking devices that incorporate thumb scanning techniques instead of magnetic cards? It would be nice to eliminate the need for carrying magnetic cards for secure areas but at the same time maintain or improve the security level that these techniques provide. Any information on issues such as vendors, costs, characteristics, technical problems, administrative problems, security levels, and especially your own experience will be greatly appreciated. Thanks.
----MESSAGE-END----

----MESSAGE-BEGIN----
[8907110712.AA10731@ucbarpa.Berkeley.EDU] <1989062518275900>
From: MOG::REX@ISDMNL.MENLO.USGS.GOV (Rex Sanders)
Newsgroups: misc.security
Subject: Re: passwords
Message-ID: <8907110712.AA10731@ucbarpa.Berkeley.EDU>
Date: 25 Jun 89 18:27:59 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 25
Approved: security@rutgers.edu
Posted: Sun Jun 25 19:27:59 1989

>Knowing that "root vegetables" were used to name
>the other accounts, guesses can be made as to the other account names.

Note the explanation in the original article for choosing "root vegetable" names - this was done to let insiders know when root users were logged in.

>While it may have improved internal security a bit (though I can't
>actually see how), you've statistically increased your opportunities
>for a damaging forced entry. Four accounts with four passwords
>don't really do anything to improve your security.

I agree that we have increased the chances for outside entry into our system. However, most of the "experts" I've heard from or read about state the biggest danger is from inside jobs. We have improved internal security by providing more accountability for actions taken with root permissions, e.g. "Who modified that system file?". Also, as stated in the original article, the "one account, one-person-knows-password" rule was passed down from Higher Authorities.

Perhaps this last point illustrates an old idea - set up a rule (law), and someone will comply with the letter of the rule while violating the objective (spirit).

-- Rex Sanders, rex@isdmnl.menlo.usgs.gov
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062713220300>
From: pyron@lvvax1.csc.ti.com (Who remembers 8USER.PAR?) 28-JUN-1989 21:02:03
To: security@pyrite.rutgers.edu, pyron@tilde.csc.ti.com
Subj: [637] DECUS Security SIG

Is there anyone on this list who took part in any of the sessions at the Spring DECUS (Atlanta) on forming a Security SIG?
I haven't heard from anyone since then, and my management wants to know where it is going. Please reply directly to me.

Dillon Pyron                          | The opinions are mine, the facts
TI/DSEG Lewisville Computer Services  | probably belong to the company.
pyron@lvvax1.csc.ti.com               |
(214)462-5449                         | We try, we learn, sometimes we die.
                                      | We sit on our butts, learn nothing,
                                      | and we still die.
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062717392200>
From: gwyn@brl.arpa (Doug Gwyn) 29-JUN-1989 1:19:22
To: security@rutgers.edu
Subj: [691] Re: DES export laws

>Try substituting "tanks" for "DES implementations".

There is a fundamental difference. Tanks can obviously be used to assault you, to violate rights of individuals on a large scale. Effective encryption technology could be used to prevent your eavesdropping, to protect the rights of persons communicating. I see no way to claim that NSA or anyone else has a "right" to be able to snoop on other people's conversations. I don't dispute that such snooping can produce useful information, but it is not information to which we are in principle entitled. As much as I love cryptanalysis, I would welcome a world in which people can be sure their communications are secure against snoops.
----MESSAGE-END----

----MESSAGE-BEGIN----
[8907180057.AA07715@ucbarpa.Berkeley.EDU] <1989062718044400>
From: janw@janus.UUCP (Jan Wortelboer)
Newsgroups: misc.security
Subject: Multipurpose Security System (for) Users
Message-ID: <8907180057.AA07715@ucbarpa.Berkeley.EDU>
Date: 27 Jun 89 18:04:44 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 14
Approved: security@rutgers.edu
Posted: Tue Jun 27 19:04:44 1989

Is there anybody who knows about a General Purpose Security System, for a computer system (UNIX) with inventive Users? I am using Convergent's with Informix and would like to make the system secure, (as far as it goes). If there is, I would like to know about it. Thanks for any help.
Jan
--
Usenet: janw@janus.fwi.uva.nl, Uucp: {uunet,...}!hp4nl!janus!janw
Jan Wortelboer, Tel.Prive 020-913169, TOPDATA / Compact Informaticadiensten nv
Kantoorgebouw "Oosterpoort" Pegasusweg 18 3067 KX Rotterdam
Tel: {+31|0}10-4552644 Telefax {+31|0}10-4554682 Telex: 26727 .. NL
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062719145200>
From: cme@cloud9.stratus.com (Carl Ellison) 29-JUN-1989 2:54:52
To: linus!misc-security@ursa-major.spdcc.com
Subj: [1738] Re: DES export laws

> Should the US therefore be willing to export tanks to anyone who wants them?
> Suppose the US manufactured military radios containing very strong encryption
> technology. Should we be willing to sell those to anyone who wanted them?

Sorry -- this argument doesn't wash.

Weapons and weapons systems, like tanks, derive military value from things like the materials with which they're made, the workmanship used, .... Sometimes there's value added in the add-on electronic packages. In all of these cases, possession of the physical object implies military value. Therefore, sale and delivery of the object constitutes increasing the military strength of the recipient.

An encryption device has only a trivial value by way of its parts. (eg., there was a sliding alphabet device during WW-II which had particular value because it was made of materials which didn't warp aboard ship in the South Pacific.) The real military value of an encryption device -- that which kills people or saves them from being killed -- is the algorithm itself and devices or algorithms for breaking it.

In the case of DES, the algorithm is already known. No one is trying to sell machinery for breaking it. It's possible to buy implementations from overseas so there's no secrecy to protect, either with the algorithm or with how to implement it.

So, what does the Government gain by interfering with its export?
All I can see being accomplished is the inhibition of a small piece of potential export trade which could have been working against the trade deficit.

--Carl Ellison
UUCP:: cme@cloud9.Stratus.COM
SNail:: Stratus Computer; 55 Fairbanks Blvd.; Marlborough MA 01752
Disclaimer:: (this is STRICTLY my own opinion)
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062719542600>
From: G.D.Shaw@DURHAM.AC.UK 29-JUN-1989 3:34:26
To: SECURITY@pyrite.rutgers.edu
Subj: [2238] Re: DES Export Laws

> Try substituting "tanks" for "DES implementations".

This is not a valid analogy. Once you have one copy of a DES algorithm, then it is easy to create as many as you like; the same is not true of military hardware. Therefore, even if your enemy has a given number of tanks, or of guns or whatever, it is still in your interest not to give him any more. With software, he only needs to buy or steal one, so if you are going to try to prevent the DES falling into the 'wrong hands', that security must be complete:

1. If the software is on open sale in the US, then you may as well sell it in Moscow too - at least that way, they might pay for it instead of buying one copy in the US and pirating the rest. There is certainly no point in banning it from NATO or neutral countries.

2. If you really want to stop the Russians getting hold of it, then you need strict regulations in the US as well - but if this was effective you would probably have had to prevent any commercial use of the product and restrict it to government agencies only.

3. Even if you did this, it would only be a matter of time before any hostile government was able to steal a copy; indeed, I would be surprised if the Russians are not capable of writing their own DES code.

Fast DES chips are a very different matter: though it can undoubtedly be done, copying chips is not a trivial undertaking. The issues at stake are therefore essentially identical to those governing the sale of CPUs or complete computers.
Software and hardware pose very different problems, and just because they both relate to the DES they should not be confused.

+----------------------------------------------------------------+
| Graham Shaw, Collingwood College, South Road, Durham, ENGLAND  |
| JANET       : G.D.Shaw @ UK.AC.DUR.MTS                         |
| Internet    : G.D.Shaw%MTS.DUR.AC.UK@cunyvm.cuny.edu           |
| EARN/BITNET : G.D.Shaw%MTS.DUR.AC.UK@UKACRL                    |
+----------------------------------------------------------------+
| "I always said there was something fundamentally wrong with    |
|  the Universe" - Arthur Dent                                   |
+----------------------------------------------------------------+
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062720184500>
From: cme@cloud9.stratus.com (Carl Ellison) 29-JUN-1989 3:58:45
To: linus!misc-security@ursa-major.spdcc.com
Subj: [2367] Re: DES export laws

> Now suppose the algorithms of the encryption chips were public knowledge, but
> actually implementing them as chips with sufficient speed, reliability, low
> power consumption, whatever, was very hard. Does your answer change?

I say that in that case, if the implementation was done at the Government's request (eg., as part of a defense contract), then they can legitimately lay claim to rights over that implementation. However, if the implementation was done by a private firm strictly on its own money and for the intention of shipping product overseas, then it's none of the Government's business! This is a free market economy we keep bragging about, right?

Let's make it stickier. Suppose the algorithm is not in a chip. It's software on a plain vanilla computer. Let's pretend that it's MY software -- and let's also pretend that I'm the best programmer in the world. Therefore, even though this is just software and anyone could have written it, I happen to be the person who wrote it the best. I want to profit from my ability. I want to sell copies of this superior software. I'm not picky.
If the U.S. Government wants to buy some copies, I'll sell them some copies. However, I won't sell them exclusive rights to this software unless they're willing to pay a VERY high price -- to compensate me for the profit I won't be able to make from other customers. Will they sign an exclusive contract and pay that very high price? (I'll wait while you stop laughing.)

Well, no, not exactly. What they'll do is make it illegal for me to sell this software outside the U.S. and although they'll allow me to sell and ship it within the U.S., they won't buy any copies from me for themselves.

--- and I repeat -- with encryption algorithms, the quality of the implementation doesn't add to the quality of the secrecy (and therefore the military value), but it might add to the satisfaction of the user and therefore to the financial incentive for me to do a good job in the implementation. Killing that financial incentive has only one logical justification -- to keep me out of the business and therefore keep a near monopoly in the hands of the NSA and select defense contractors.

--Carl Ellison
UUCP:: cme@cloud9.Stratus.COM
SNail:: Stratus Computer; 55 Fairbanks Blvd.; Marlborough MA 01752
Disclaimer:: (of course)
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062815074100>
From: /* Purple Haze */ 29-JUN-1989 22:47:41
To: security@pyrite.rutgers.edu
Subj: [274] "not for export"

There's been some discussion of software packages labelled "not for export" because they contain DES. Are there any other widely used programs that have this same "not for export" status? I have seen a "not for export" sticker on a box for Turbo Pascal, anyone know why?
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062815423200>
From: MJB8949@RITVAX.BITNET 29-JUN-1989 23:22:32
To: SECURITY@pyrite.rutgers.edu
Subj: [879] SESCOA software request

I'm presently researching the market for software designed to interface a personal computer with a SESCOA 3000 alarm receiver.
This is for a 'medium-to-large' size college campus which has been using the SESCOA for several years. If anyone could pass on information about companies with such products, or personal experience with various programs 'in the field', your help would be greatly appreciated. Please note that I'd need to receive any info before July 6 (I know it's not that far away), since I will be on the other side of the country after that. E-Mail would probably be the best, then I can try to summarize for everyone else if it seems others are interested. Thanks.

Mike Bunnell                                 716-475-4263
30 Lowenthal Dr., Box 2767 ('till July 6)
Rochester, NY 14623                          MJB8949@RITVAX
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062816164100>
From: Mr. James Crooks 29-JUN-1989 23:56:41
To: security@pyrite.rutgers.edu
Subj: [2259] re: EXPORT OF THE DES

>Such implementations have the potential for turning any mini or micro
>into a crypto engine. This might fill the ether with traffic that
>cannot be readily recognized, raising the cost of signals
>intelligence gathering.

Don't lose sight of the fact that DES represents ONLY commercial level crypto. Anybody sending something REALLY important wouldn't use DES anyway (gov't/mil). The fact that it is illegal won't stop the bad guys from smuggling out almost anything they want. In fact it mostly stops the law abiding citizens of the world from getting the protection they need to run their businesses (or at least getting it from the USA - but then NSA doesn't care about the balance of payments gap).

>The issue is not secrecy; it is replicability. ...
>If the work factor for reading the DES was N, but that of reading a
>variant is >N then one might be motivated to discourage variants.

But given the fact that in an open marketplace with published algorithms, one finds that other solutions will be provided sooner or later.
If NSA was really smart, they might have written public domain standard code then freely distributed it in object form to cut down on the variants - by all means protect the source code with export controls.

>>We're locking the barn door -- with the horse inside -- but after the
>>back wall fell down.

>One does what one can do. This is particularly true if one believes
>oneself to be mandated by law to do so.

I agree that the law is there, but SHOULD it be there? I really think it boils down to pig-headedness in the security services. At least the US delegation to the ISO Crypto standards stuff abstained rather than vetoing DES (as NSA and the White House wanted them to, or at least that is what I heard...). At least NSA got smarter with the newer algorithms - and kept them classified. Then they were looking for something a bit better than commercial level protection.

James W. Crooks
Member, Advanced Technology Application Staff
BITNET: JIM@ISS.NUS.AC.SG
BIX: jw.crooks
DASnet: DW1JW|JCROOKS
Compuserve: 72611,162
Envoy 100: jw.crooks
Institute of Systems Science, National University of Singapore
Heng Mui Keng Terrace, Kent Ridge, Singapore 0511
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062904285800>
From: hwchoy@zpovc.enet.dec.com (Life, The Universe and Everything.) 30-JUN-1989 12:08:58
To: DECWRL"".."security@pyrite.rutgers.edu"@zpovc.enet.dec.com
Subj: [143] Ethernet Encryption device

Can anyone give me information regarding Ethernet Encryption devices, prices, features and contact address/tel/fax would be welcomed. Thanx.
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062905314200>
From: gwyn@brl.mil 30-JUN-1989 13:11:42
To: security@rutgers.edu
Subj: [472] Re: Envelopes

>A site I worked at used tyvek (tm?) envelopes and sealed them with a few
>drops of an epoxy.
This is probably beyond the bounds of reasonable paranoia, but you should be aware that the standard technique for removing a document from a sealed envelope is to insert a slotted rod at the corner, roll the contents onto the rod, and slip it out as a thin tube. Of course it's reinserted by reversing the process. Thus, the corners of the envelope need special attention.
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062906030000>
From: monster!paul@csc-lons.af.mil 30-JUN-1989 13:43:00
To: security@csc-lons.uucp
Subj: [577] [575]

Return-path:
Date: Tue Jun 20 08:59:24 1989
From: monster!paul@csc-lons.af.mil
To: security@csc-lons.uucp

I have had experience with Anderson-Jacobson (sp?) 2400 baud security modems. I did several weeks of testing on them and I believe they will fit what you are looking for. I also had hardware problems with one modem and A-J sent a tech over to my location to help test it, and swap out the bad modem on the spot. It was real nice. The modem offers callback and multilevel security. Take a look, you might like it.

Paul Fischer          paul%monster@csc-lons.csc.com
1-800-234-6668        Bohdan Associates Inc.
"Smile! ... It makes people wonder what you're thinking."
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062906594300>
From: Michael K. Blackstock 30-JUN-1989 14:39:43
To:
Subj: [556] Re: auto-call-back modems

Here is an ad taken from "Computer Shopper" Mar. 89.

"FINAL CLOSEOUT/PRICE SLASHED! Lockheed-Getex modems now priced below our cost!
..300/1200-baud
..Choice of security levels including selective and nonselective callback
..Non-Hayes compatible and any computer...that has industry standard RS-232C port " can use it "...
NOW $29 + $4 S/H
Item # H-4206-7344-195
COMB 1-800-328-0609

I have got two of them. I am using one of them right now, with a Lear Siegler terminal. The other one is for my PC.
BITNET: ELTRUT@MSSTATE
-Michael
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062907442300>
From: tsibouris@vms.macc.wisc.edu (GEORGE TSIBOURIS) 30-JUN-1989 15:24:23
To: misc-security@uunet.uu.net
Subj: [693] RANDOM vs DETERMINISTIC systems

I am not certain that this is the right forum but here it goes anyways. Does anyone know how to distinguish a system that spits out a sequence of "truly" random numbers (neutron decay of some radioactive material) from a system that has a complex (non-linear) but deterministic structure? A similar question is: how can you distinguish a good random number generator from a great one? What tests are used? I am rather new to this area but I am familiar with correlation integrals and the correlation dimension. Any references on the above topic would be greatly appreciated.

Thank you,
George Tsibouris
tsibouris@vms.macc.wisc.edu (Internet)
tsibouris@wiscmacc (Bitnet)
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062908285700>
From: hollombe@ttidca.tti.com (The Polymath) 30-JUN-1989 16:08:57
To: misc-security@sdcsvax.ucsd.edu
Subj: [2449] Re: Kevin Mitnick

}I personally feel the man is just a criminal, like the guy that robs a 7/11,
}no better but certainly not any worse.

A number of people have been killed in 7/11 robberies. How bad is that?

}... Sure he did things like access and perhaps even altered
}Police Dept. criminal records, credit records at TRW Corp, and Pacific
}Telephone, disconnecting phones of people he didn't like etc.
}But what is not understood by most people outside of the hack/phreak world is
}that these things are VERY EASY TO DO AND ARE DONE ALL THE TIME.

Therefore Mitnick's guilt is less? More appropriately, we should throw the book at him and go after similar criminals/sociopaths just as aggressively.

}1.) He will not be treated fairly. He will be judged as a much greater threat
}to society than others that have committed similar crimes.

That's his lawyer's problem.

}2.) He will become some kind of folk hero.
}A Jesse James with a keyboard.

Not if he's found guilty and harshly sentenced. There's little glory in 20 years behind bars with no access to his favorite toys.

}I'm not defending him or the things he has done in any sense. All I'm saying
}is let's be fair. Judge the man by the facts, not the headlines.

Let's trust the jury to do just that. Despite the image of a chaotic court system, created by the same media hype of a few odd cases, juries, by and large, have been shown to be fairly efficient at fact finding and interpretation and ignoring media bull.

BTW, my impression from the news media is that Mitnick isn't a super hacker, or even much of a hacker, at all. He's more a classic, textbook sociopath. Most of the times he gained access to systems he did so not with computer expertise, but by conning the owners into giving him the needed passwords. That ability to inspire trust, combined with the conscienceless willingness to abuse it, is a classic symptom of sociopathy. It has nothing to do with computer expertise. If he didn't know anything about computers Mitnick would probably be an embezzler or a used car salescritter. I suspect society will be much better off with him isolated and neutralized (and that should keep me off the jury, at least).

--
The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com)  Illegitimati Nil
Citicorp(+)TTI                                                Carborundum
3100 Ocean Park Blvd.   (213) 452-9191, x2483
Santa Monica, CA 90405  {csun|philabs|psivax}!ttidca!hollombe
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062913463400>
From: "Daniel L. Laser" 30-JUN-1989 21:26:34
To: security@tcsvm
Subj: [597] Requesting Information on Security Policies

We are in the process of trying to formulate an INFORMATION SECURITY POLICY for our campus. This policy as we envision it would be campus wide and would serve as the foundation for other more specific information related security policies concerning electronic data systems, reports, departmental p.c. systems, etc.
I would appreciate samples of the information security policies that you are using on your campuses.

Thanks,
==========================>>> Daniel L. Laser - Associate Director
==========================>>> Trinity University Computing Center
Acknowledge-To:
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062914245000>
From: oster@dewey.soe.berkeley.edu (David Phillip Oster) 30-JUN-1989 22:04:50
To: misc-security@ucbvax.berkeley.edu
Subj: [696] IBM Mainframe rs232 call-back software=Defender interface?

I'm looking for information about a software package named "Defender" that runs on IBM mainframes. It provides 3270 emulation over rs232 lines connected to inexpensive modems. It uses a hang up and call-back approach.

My questions: What kind of terminal does it expect to see at the remote end? Does the 3270 emulation require a terminal that accepts ANSI control commands or something weirder? Does it provide any file transfer protocols, and if so, which ones?

--- David Phillip Oster                                   --"Unix Version 7 was an improvement not
Arpa: oster@dewey.soe.berkeley.edu                        --only over its predecessors, but also its
Uucp: {uwvax,decvax}!ucbvax!oster%dewey.soe.berkeley.edu  --successors."
----MESSAGE-END----

----MESSAGE-BEGIN----
<1989062914573600>
From: nevin1@cbnewsc.att.com (nevin.j.liber) 30-JUN-1989 22:37:36
To: misc-security@att.att.com
Subj: [1437] Re: Request: Computer Security

[from Doron Zifrony in comp.misc. He does not get misc.security; please respond directly to Doron (and not ME) directly via email.]

Hello people! I hope this is the right newsgroup to post it. I am interested in starting a PhD in computer science or a related area. I am interested in the field of "computer security". Unfortunately, I have no knowledge of universities anywhere around the globe, which include people researching in this area, who may advise me in my thesis. I would welcome any information which will allow me to get in touch with such people for further discussion.
I prefer an English-speaking country, or a Hebrew-speaking country, as I do not master any other language (I stutter a bit in French, but I do not master it). However, I'll be willing to learn other languages if the need arises. Please E-mail me responses, as I do not check this newsgroup often.

Thanks
--
Doron Zifrony    E-mail: BITNET:   zifrony@taurus.bitnet
Msc. Student             INTERNET: zifrony@Math.Tau.Ac.IL
Dept. of CS              ARPA:     zifrony%taurus.bitnet@cunyvm.cuny.edu
Tel Aviv Univ.           UUCP:     ...!uunet!mcvax!humus!taurus!zifrony
Israel                   CSNET:    zifrony%taurus.bitnet%cunyvm.cuny.edu@csnet-relay
--
Disclaimer: I DON'T represent Tel Aviv University. The opinions hereby expressed are solely my own.
----MESSAGE-END----

----MESSAGE-BEGIN----
[8907181404.AA14121@ucbarpa.Berkeley.EDU] <1989062921332000>
From: SUSAN@YALEVM.BITNET (Susan Bramhall)
Newsgroups: misc.security
Subject: Encryption hardware/software available?
Message-ID: <8907181404.AA14121@ucbarpa.Berkeley.EDU>
Date: 29 Jun 89 21:33:20 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 27
Approved: security@rutgers.edu
Posted: Thu Jun 29 22:33:20 1989

Please excuse me if you receive multiple copies of this note. I am sending it to several lists which may have a subscriber who has relevant information.

We are interested in providing an encrypting gateway for our campus network. The idea is that users on certain LANs considered secure wish to send data across an unsecured ethernet spine and eventually into another secure LAN or host. We have several ideas for the gateway (based on previous software developed at Yale) but would like to acquire a software or, preferably hardware, encryptor. Ideally, it would be a card with the ability to encrypt/decrypt on its own chip rather than taking up workstation CPU cycles. We would pass it data and a key and it would return encrypted data. The gateway is being built on an IBM PS/2. Any leads would be very much appreciated.
I also wonder if other sites are thinking about this problem and, if so, what sort of solution are you looking at? All of the security discussions which I have seen are concerned with authorization and access control (such as dial back) rather than encryption of data. Does anyone know of a forum where this has been discussed? Note, by the way, that we are not planning to do any research into encryption algorithms, a subject I am happy to leave to the mathematicians. Since I do not subscribe to ANY of the lists, please send replies directly to me (as well as the list if you like). Thanks for in advance for your help. Susan Bramhall Senior Research Programmer ----MESSAGE-END---- ----MESSAGE-BEGIN---- [8906292315.AA28070@ucbarpa.Berkeley.EDU] <1989062923160900> From: NCASTELLANO@EAGLE.WESLEYAN.EDU (/* Purple Haze */) Newsgroups: misc.security Subject: "not for export" Message-ID: <8906292315.AA28070@ucbarpa.Berkeley.EDU> Date: 29 Jun 89 23:16:09 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 4 Approved: security@rutgers.edu Posted: Fri Jun 30 00:16:09 1989 X-Unparsable-Date: 18-JUN-1989 15:58:04.45 There's been some discussion of software packages labelled "not for export" because they contain DES. Are there any other widely used programs that have this same "not for export" status? I have seen a "not for export" sticker on a box for Turbo Pascal, anyone know why? ----MESSAGE-END---- ----MESSAGE-BEGIN---- [8906300022.AA28737@ucbarpa.Berkeley.EDU] <1989063000221800> From: JIM@iss.nus.ac.sg (Mr. James Crooks) Newsgroups: misc.security Subject: re: EXPORT OF THE DES Message-ID: <8906300022.AA28737@ucbarpa.Berkeley.EDU> Date: 30 Jun 89 00:22:18 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 45 Approved: security@rutgers.edu Posted: Fri Jun 30 01:22:18 1989 X-Unparsable-Date: Tue, 13 Jun 89 12:06:32 SST >Such implementations have the potential for turning any mini or micro >into a crypto engine. 
This might fill the ether with traffic that >cannot be readily recognized, raising the cost of signals >intelligence gathering. Don't lose sight of the fact that DES represents ONLY commercial level crypto. Anybody sending something REALLY important wouldn't use DES anyway (gov't/mil). The fact that it is illegal, won't stop the bad guys from smuggling out almost anything they want. In fact is mostly stops the law abiding citizens of the world from getting the protection they need to run their businesses (or at least getting it from the USA - but then NSA doesn't care about the balance of payments gap). >The issue is not secrecy; it is replicability. ... >If the work factor for reading the DES was N, but that of reading a >variant is >N then one might be motivated to discourage variants. But given the fact that in an open marketplace with published alorithms, one finds that other solutions will be provided sooner or later. If NSA was really smart, they might have written public domain standard code then freely distributed it in object form to cut down on the variants - by all means protect the source code with export controls. >>We're locking the barn door -- with the horse inside -- but after the >>back wall fell down. >One does what one can do. This is particularly true if one believes >oneself to be mandated by law to do so. I agree that the law is there, but SHOULD it be there? I really think it boils down to pig-headedness in the security services. At least the US delegation to the ISO Crypto standards stuff abstained rather than vetoing DES (as NSA and the White House wanted them to, or at least that is what I heard...). At least NSA got smarter with the newer algorithms - and kept them classified. Then they were looking for something a bit better than commercial level protection. James W. 
Crooks Member, Advanced Technology Application Staff BITNET: JIM@ISS.NUS.AC.SG BIX: jw.crooks DASnet: DW1JW|JCROOKS Compuserve: 72611,162 Envoy 100: jw.crooks Institute of Systems Science, National University of Singapore Heng Mui Keng Terrace, Kent Ridge, Singapore 0511 ----MESSAGE-END---- ----MESSAGE-BEGIN---- [8907110922.AA11434@ucbarpa.Berkeley.EDU] <1989063018583300> From: edb@sequent.UUCP (Edward Bunch) Newsgroups: misc.security Subject: Home Security/Control Systems. Message-ID: <8907110922.AA11434@ucbarpa.Berkeley.EDU> Date: 30 Jun 89 18:58:33 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 13 Approved: security@rutgers.edu Posted: Fri Jun 30 19:58:33 1989 I am interested in finding out more about Home Security/Control Systems. You know, the ones that not only tell you if someone is breaking in but control lights while your out and make coffee for you in the morning. Please Email me direct. Thanks, ----------- Edward A. Bunch | |/ | UUCP: {sun,fai,uunet}! Sequent Computer Systems, Inc. | /|/ | sequent!edb Network Manager | /| | DOMAIN: not yet ;-) | | ----------- ----MESSAGE-END---- ----MESSAGE-BEGIN---- [8907191923.AA03140@ucbarpa.Berkeley.EDU] <1989063020304700> From: SYKLB@NASAGISS.BITNET (Ken Bell) Newsgroups: misc.security Subject: Re: DES export laws Message-ID: <8907191923.AA03140@ucbarpa.Berkeley.EDU> Date: 30 Jun 89 20:30:47 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 8 Approved: security@rutgers.edu Posted: Fri Jun 30 21:30:47 1989 > >Try substituting "tanks" for "DES implementations". > There is a fundamental difference. Tanks can obviously be used to assault There's another difference. You can't carry tanks over in your briefcase or buy the plans for them at B. Dalton's. There's an awful lot of published DES code, and various PC utilities (PCTOOLS, for example) contain DES. The only ones who are being deprived of DES are the non-security risks - the spies/terrorists already have it. 
----MESSAGE-END---- ----MESSAGE-BEGIN---- [8907192042.AA04325@ucbarpa.Berkeley.EDU] <1989063022210000> From: PETERSEN@CTRVX1.VANDERBILT.EDU (Chris Petersen - VUCC) Newsgroups: misc.security Subject: Re: DES Export Laws Message-ID: <8907192042.AA04325@ucbarpa.Berkeley.EDU> Date: 30 Jun 89 22:21:00 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 14 Approved: security@rutgers.edu Posted: Fri Jun 30 23:21:00 1989 > indeed, I would be surprised > if the Russians are not capable of writing their own DES code. I could have sworn I saw a posting about an article in a Soviet computer science journal that gave an algorithm for breaking badly chosen keys for DES. I may have even seen it [the reference] here... -Chris Petersen Vanderbilt University petersen@ctrvax.vanderbilt.edu Disclaimer: If I say anything at all, it is strictly off the record and should in no way be construed as legal or binding or even authoritative or responsible... :-) ----MESSAGE-END----